[GH-ISSUE #3475] enable firejail with chroot allow SFTP without chroot #2184

Closed
opened 2026-05-05 08:51:51 -06:00 by gitea-mirror · 8 comments

Originally created by @nicovs on GitHub (Jun 22, 2020).
Original GitHub issue: https://github.com/netblue30/firejail/issues/3475

Bug and expected behavior

  • When implementing an SSH firejail, all works well, but SFTP seems to be not chrooted. I can browse the entire server when using sftp
    Current config: SSH access is done over port 2244, SFTP over 22
    The config below does not chroot sftp over port 2244.

Side note: Subsystem sftp cannot be used in a Match group.

Reproduce
Set sshd_config:

```
Port 22
Port 2244
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
AcceptEnv LANG LC_*
AllowAgentForwarding yes
AuthorizedKeysFile %h/.ssh/authorized_keys /etc/ssh/authorized_keys/%u
ChallengeResponseAuthentication no
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
HostbasedAuthentication no
IgnoreRhosts yes
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
# KeyRegenerationInterval, RSAAuthentication, RhostsRSAAuthentication and
# ServerKeyBits are SSH protocol 1 options; OpenSSH 7.4 and later ignore
# them (with a deprecation warning).
KeyRegenerationInterval 3600
LogLevel INFO
LoginGraceTime 120
PermitEmptyPasswords no
PermitRootLogin no
PrintLastLog no
PrintMotd no
PubkeyAuthentication yes
RSAAuthentication yes
RhostsRSAAuthentication no
ServerKeyBits 1024
StrictModes yes
# Subsystem is global only (it is not valid inside a Match block), so the
# in-process SFTP server is offered on both ports.
Subsystem sftp internal-sftp
SyslogFacility AUTH
TCPKeepAlive yes
UseDNS no
UsePAM yes
UsePrivilegeSeparation yes
X11DisplayOffset 10
X11Forwarding yes
# Nothing in this block overrides the global Subsystem line, so an SFTP
# session on 2244 runs internal-sftp with no ChrootDirectory.
Match Group userjail LocalPort 2244
  AllowAgentForwarding yes
  AllowTcpForwarding yes
  Banner /etc/ssh_banner
  PermitTunnel yes
  X11Forwarding no
Match Group www-data LocalPort 22
  AllowTcpForwarding no
  ChrootDirectory %h
  ForceCommand internal-sftp
  PermitTunnel no
  X11Forwarding no
```

Environment

  • Ubuntu 16.04, 18.04
  • Firejail 0.9.60-1

How can I implement SFTP over port 22, and SSH over port 2244 separately, or make sure that SFTP over 2244 is also chrooted?


@ghost commented on GitHub (Jun 22, 2020):

When implementing an SSH firejail, all works well, but SFTP seems to be not chrooted. I can browse the entire server when using sftp

In contrast to the ssh command, firejail does NOT sandbox the scp/sftp commands by default. I'm assuming you use(d) firecfg to activate the automatic desktop integration feature. As you can check on your side, the firecfg.config does NOT contain scp/sftp, which means you will have to decide on that yourself. That might change in an upcoming release, but for now you will need to manually create a symlink in /usr/local/bin/sftp pointing to /usr/bin/firejail for that to be running sandboxed. Do the same for scp if needed. You can just copy the existing /usr/local/bin/ssh symlink and rename it appropriately.

Side note: Subsystem sftp cannot be used in a Match group.

Are you saying this is a limitation of OpenSSH? Or do you want to limit sftp access by adding it to a Match Group and be able to sandbox it via firejail? If the latter, please have a look at the relevant profiles in /etc/firejail. You can see that ssh.profile has the nogroups option enabled. In sftp.profile the main SSH profile is included, so it will inherit that option too. Try using a sftp.local file to override that via ignore nogroups (possibly other options as well).

On a side note: a firejail collaborator maintains the firejail PPA (https://launchpad.net/~deki/+archive/ubuntu/firejail) that offers the latest releases, including for 16.04 LTS and 18.04 LTS. I'm not saying you need to upgrade. But bug fixes, features and profile changes happen quite frequently, so you might be interested in keeping up with upstream as best you can.


@nicovs commented on GitHub (Jun 22, 2020):

Hi @glitsj16, thanks for your answer.
What I want to implement is:

I've set up a custom

  • allow users to SSH into my server, using firejail (port 2244)
  • allow users to SFTP into my server, also firejailed. (preferably port 22, but 2244 is OK, IF chroot works)

I've configured sshd_config so that users in the 'userjail' group, connecting (ssh) on port 2244, are using a custom firejail chroot. However, when connecting via sftp, they are not chrooted; see my initial post.

Using ignore nogroups does not work.

My profile:

```
include /etc/firejail/ssh.profile
include /etc/firejail/vim.profile
include /etc/firejail/disable-passwdmgr.inc
include /etc/firejail/disable-programs.inc
include /etc/firejail/disable-common.inc

blacklist /data*
blacklist /etc/php/*/fpm
blacklist /tmp/.X11-unix
blacklist /tmp/sess_*
blacklist /usr/libexec/netdata*
blacklist /usr/local/sanoid*
blacklist /usr/local/src*
blacklist /usr/share/man
blacklist /var/lib/varnish
blacklist /var/run/acme
blacklist /var/run/apache2
blacklist /var/run/fail2ban
blacklist /var/run/haproxy*
blacklist /var/run/incrond*
blacklist /var/run/netdata
blacklist /var/run/newrelic
blacklist /var/run/php
blacklist /var/run/reboot-required*
blacklist /var/run/redis
blacklist /var/spool/postfix
blacklist /var/www

private-bin awk,basename,bash,cat,chmod,chown,clear,composer,cp,crontab,curl,date,df,dig,dir,dircolors,dirname,dwebp,echo,egrep,env,fgrep,find,git,git-core,grep,groups,gunzip,gzip,head,host,img2webp,less,ln,ls,mesg,mkdir,mktemp,more,mv,mysql,mysqldump,nano,nice,node,nodejs,npm,openssl,php,php?.?,readlink,redis-cli,rm,rmdir,rsync,tail,tar,tee,test,touch,tr,uname,uniq,unlink,unzip,varnishadm,vdir,vi,vim,vim.basic,vim.tiny,vwebp,wc,wget,which,whoami,wkhtmltopdf,xargs,zcat,zip,zless
private-etc alternatives,crontab,fonts,group,hostname,localtime,nsswitch.conf,passwd,php,resolv.conf,services,ssl
private-dev
private-opt ls

# Miscellaneous options
quiet
caps.drop all
disable-mnt
netfilter
nodvd
nogroups
nonewprivs
noroot
nosound
notv
writable-run-user
```

ssh.local:

```
#do not blacklist
noblacklist /etc/ssh
noblacklist /tmp/ssh-*
noblacklist ${HOME}/.bash_aliases
noblacklist ${HOME}/.gitconfig
noblacklist ${HOME}/.ssh
noblacklist ${HOME}/.ssh/authorized_keys

#Allow some files to be readwrite
read-write ${HOME}/.bash_aliases
read-write ${HOME}/.ssh/
read-write ${HOME}/.ssh/authorized_keys

ignore nogroups
```

@reinerh commented on GitHub (Jun 23, 2020):

SFTP is a different sub-system and the normal shell of the users is not invoked.
To chroot SFTP usage, you can also use the ChrootDirectory configuration in your sshd_config (like you already use for www-data).


@reinerh commented on GitHub (Jun 23, 2020):

Maybe it's also possible to specify a different binary for the SFTP subsystem, see the Subsystem setting in sshd_config(5).


@nicovs commented on GitHub (Jun 24, 2020):

Maybe it's also possible to specify a different binary for the SFTP subsystem, see the Subsystem setting in sshd_config(5).

Unfortunately, you cannot set Subsystem in a Match statement


@nicovs commented on GitHub (Jun 24, 2020):

SFTP is a different sub-system and the normal shell of the users is not invoked.
To chroot SFTP usage, you can also use the ChrootDirectory configuration in your sshd_config (like you already use for www-data).

When using ChrootDirectory %h, I get /usr/bin/firejail: No such file or directory when trying to SSH... which is rather logical.

Maybe I'd better try to spawn a 2nd SSH service, instead of doing it all in one...


@rusty-snake commented on GitHub (Jun 24, 2020):

did you have a look at ForceCommand?


@nicovs commented on GitHub (Jun 24, 2020):

Actually, the solution was quite easy...
Just change Subsystem sftp internal-sftp to something like Subsystem sftp /bin/false to disable it globally, and put ForceCommand internal-sftp in the Match Group on the port that needs SFTP (together with the chroot, of course).

Thanks for helping!

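An added example, not the thread's or the firejail project's code, that puts the two sshd_config layouts side by side and lints them: the original layout (global "Subsystem sftp internal-sftp", so SFTP is served on 2244 as well and only the www-data block on 22 chroots it) and the fix from the last comment ("Subsystem sftp /bin/false" globally, with "ForceCommand internal-sftp" next to "ChrootDirectory" inside the Match block on 22). Group names and ports come from the thread; the trimmed directive lists, file paths and the lint rule are assumptions. Only sh and awk are needed; effective_sftp_settings needs a real sshd and root.

```shell
#!/bin/sh
# Added example for this thread (not firejail or OpenSSH code).
# Writes both layouts to files and checks the property the fix relies on:
# SFTP is off everywhere unless a Match block turns it back on, and every
# such block also chroots.

# write_original_layout FILE
# The layout from the first post, reduced to the lines that matter.
# "Subsystem sftp internal-sftp" is global (Subsystem is not allowed in a
# Match block), so SFTP on 2244 runs unchrooted.
write_original_layout() {
    cat > "$1" <<'EOF'
Port 22
Port 2244
HostKey /etc/ssh/ssh_host_ed25519_key
Subsystem sftp internal-sftp
Match Group userjail LocalPort 2244
  AllowTcpForwarding yes
Match Group www-data LocalPort 22
  ChrootDirectory %h
  ForceCommand internal-sftp
EOF
}

# write_fixed_layout FILE
# The fix from the last comment: the subsystem is disabled globally and
# ForceCommand re-enables the in-process server only on port 22, where the
# same block also sets ChrootDirectory. A subsystem request on 2244 now
# fails instead of running unchrooted.
write_fixed_layout() {
    cat > "$1" <<'EOF'
Port 22
Port 2244
HostKey /etc/ssh/ssh_host_ed25519_key
# Disabled globally; only a Match block with ForceCommand can offer SFTP.
Subsystem sftp /bin/false
Match Group userjail LocalPort 2244
  AllowTcpForwarding yes
Match Group www-data LocalPort 22
  ChrootDirectory %h
  ForceCommand internal-sftp
  AllowTcpForwarding no
EOF
}

# lint_sftp_chroot FILE
# Exit 0 only if the global "Subsystem sftp" is /bin/false and every Match
# block that forces internal-sftp also sets ChrootDirectory. Keywords are
# case-insensitive, like sshd's own parser; comments and blank lines skip.
lint_sftp_chroot() {
    awk '
        function flush() { if (inmatch && fc && !cd) bad++ }
        /^[ \t]*(#|$)/ { next }
        tolower($1) == "match" { flush(); inmatch = 1; fc = 0; cd = 0; next }
        !inmatch && tolower($1) == "subsystem" && tolower($2) == "sftp" {
            disabled = ($3 == "/bin/false")
        }
        inmatch && tolower($1) == "forcecommand" && $2 == "internal-sftp" { fc = 1 }
        inmatch && tolower($1) == "chrootdirectory" { cd = 1 }
        END { flush(); exit ((disabled && !bad) ? 0 : 1) }
    ' "$1"
}

# effective_sftp_settings USER PORT
# Asks the installed sshd what a connection from USER on local port PORT
# would actually get, after Match evaluation. Run on the server as root.
effective_sftp_settings() {
    sshd -T -C "user=$1,lport=$2,laddr=127.0.0.1,addr=127.0.0.1,host=localhost" |
        grep -Ei '^(subsystem|forcecommand|chrootdirectory|allowtcpforwarding) '
}
```

On the server, sshd -t -f FILE checks the syntax of a candidate file, and effective_sftp_settings www-data 22 versus effective_sftp_settings userjail 2244 shows the settings sshd resolves for each side, which is the quickest way to confirm that 2244 now has no SFTP at all and 22 is chrooted. The lint is deliberately strict: a Match block that forces internal-sftp without ChrootDirectory would again expose the whole filesystem to that group.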
Reference: github-starred/firejail#2184